fixed DPD null state bug

2009-03-30 03:47:14 +00:00 · 2009-03-30 03:47:14 +00:00 · 79b2729490
parent ab6923f28c
commit 79b2729490
4 changed files with 16 additions and 4 deletions
--- a/10
+++ b/10
@ -5,6 +5,16 @@ strongswan-4.2.14
  relays EAP messages to and from a RADIUS server. Succesfully
  tested with with a freeradius server using EAP-MD5 and EAP-SIM.

+- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
+  Gerd v. Egidy <gerd.von.egidy@intra2net.com> of Intra2net AG affecting
+  all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
+  R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
+  pluto IKE daemon to crash and restart. No authentication or encryption
+  is required to trigger this bug. One spoofed UDP packet can cause the
+  pluto IKE daemon to restart and be unresponsive for a few seconds while
+  restarting. This DPD null state vulnerability has been officially
+  registered as CVE-2009-0790 and is fixed by this release.
+
 - ASN.1 to time_t conversion caused a time wrap-around for
  dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
  As a workaround such dates are set to the maximum representable
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@ -5446,9 +5446,9 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
   time_t tm = now();
    u_int32_t seqno;

-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
    {
-        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA");
+        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
        return STF_IGNORE;
    }
    if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
@ -5516,10 +5516,10 @@ dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
 {
    u_int32_t seqno;

-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
    {
        loglog(RC_LOG_SERIOUS
-	    , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA");
+	    , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
        return STF_FAIL;
    }

--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@ -242,6 +242,7 @@ static struct vid_struct _vid_tab[] = {
 	DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
 	DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")

+	DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.9")
 	DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
 	DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
 	DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@ -94,6 +94,7 @@ enum known_vendorid {
  VID_STRONGSWAN_2_8_6		= 72,
  VID_STRONGSWAN_2_8_7		= 73,
  VID_STRONGSWAN_2_8_8		= 74,
+  VID_STRONGSWAN_2_8_9		= 75,

  VID_STRONGSWAN_4_0_0		= 80,
  VID_STRONGSWAN_4_0_1		= 81,